TrickBot Variant Enables SIM Swapping Attacks: Report

A new variant of the TrickBot banking Trojan is enabling attackers to conduct SIM swapping schemes against Verizon Wireless, Sprint and T-Mobile customers in the U.S., potentially paving the way for account takeover fraud, according to a report from Dell's SecureWorks division.

The operators of this version of TrickBot are able to intercept a victim's PIN as well as other credentials when they attempt to log onto the websites of the three wireless carriers, according to the report.

This allows for a so-called SIM swapping attack, which involves taking a victim's phone number and porting it to another SIM card that is under the attackers' control. The attacker can then collect one-time passwords sent to that number or use social engineering to trick telecom employees into giving out information about the victim. These moves create opportunities for further attacks, such as account takeover schemes.

"Interception of short message service (SMS)-based authentication tokens or password resets is frequently used during account takeover fraud," the SecureWorks report notes.

Account takeover attacks can pave the way for credential stuffing, a technique used to guess usernames and passwords in order to steal data or gain access to a variety of other accounts, which works because many people reuse the same credentials over and over again.

Security vendor Akamai released a study earlier this year that found approximately 30 billion credential stuffing attempts during the course of 2018.

Other banking Trojans have also found new purposes. For instance, the Emotet banking Trojan has evolved into a botnet that undergoes a burst of activity every few months, delivering malicious code to victims before quieting down again. In many cases, Emotet is used to deliver TrickBot as well as ransomware (see: Emotet Botnet Shows Signs of Revival).

In its report, SecureWorks says the new version of TrickBot it discovered was developed by a threat group called "Gold Blackburn," but not much is known about the group's origins or motivations.

The Verizon page on the left is infected with TrickBot and asks for the PIN. The one on the right is legitimate. (Image: SecureWorks)

The group uses a technique called "web inject," in which the malware intercepts the victim's traffic to a legitimate website and, as the user loads the site, inserts additional code supplied by a command-and-control server. The injected code is either the attackers' own HTML or JavaScript, according to SecureWorks.

The researchers noticed a TrickBot attack against the Verizon log-in web page on Aug. 5. Then they discovered an attack against T-Mobile on Aug. 12 and Sprint on Aug. 19, according to the report.

In these attacks, once the extra code is injected, a website user is prompted for a PIN before logging in. In the case of Verizon, the legitimate log-in page doesn't ask for a PIN - only the username and password, according to SecureWorks.

After the victim has entered the PIN, password and username, that data is collected by the attackers' command-and-control server, according to SecureWorks.
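The tell-tale sign of the injects described above is a field the real log-in form never had: a PIN prompt alongside username and password. The following is an added example, not code from the article or from SecureWorks, of a simple form-integrity check of the kind a site owner's own page-monitoring script or an anti-fraud agent could run: it extracts the `name` attributes of the `<input>` elements in a log-in form and compares them with an expected-field manifest, reporting both unexpected and missing fields. The manifest (`username`, `password`, `csrf_token`) and the two HTML snippets are constructed for illustration and do not reproduce any carrier's actual page.

```javascript
// Added example: log-in form integrity check (not from the article or SecureWorks).
// Assumed manifest of the fields the legitimate form is known to contain.
const LOGIN_FORM_MANIFEST = ["username", "password", "csrf_token"];

// Pull the name="..." attribute out of every <input ...> tag in the HTML.
// A regex is enough for this flat, constructed markup; a DOM walk would be used
// in a real browser-side monitor.
function extractInputNames(html) {
  const names = [];
  const inputRe = /<input\b[^>]*>/gi;
  const nameRe = /\bname\s*=\s*["']([^"']+)["']/i;
  for (const tag of html.match(inputRe) || []) {
    const m = tag.match(nameRe);
    if (m) names.push(m[1].toLowerCase());
  }
  return names;
}

// Fields present in the form but absent from the manifest (e.g. an injected "pin").
function unexpectedFields(html, manifest = LOGIN_FORM_MANIFEST) {
  const expected = new Set(manifest.map((n) => n.toLowerCase()));
  const seen = new Set(extractInputNames(html));
  return [...seen].filter((n) => !expected.has(n)).sort();
}

// Fields the manifest expects but the form no longer shows (a replaced form
// is as suspicious as an extended one).
function missingFields(html, manifest = LOGIN_FORM_MANIFEST) {
  const seen = new Set(extractInputNames(html));
  return manifest.map((n) => n.toLowerCase()).filter((n) => !seen.has(n)).sort();
}

// Verdict for a rendered form: tampered if anything is extra or missing.
function checkForm(html, manifest = LOGIN_FORM_MANIFEST) {
  const extra = unexpectedFields(html, manifest);
  const missing = missingFields(html, manifest);
  return { tampered: extra.length > 0 || missing.length > 0, extra, missing };
}

// Constructed sample: a legitimate-looking log-in form (username and password only).
const LEGIT_FORM = `
<form id="login" action="/signin" method="post">
  <input type="hidden" name="csrf_token" value="abc123">
  <input type="text" name="username" placeholder="User ID">
  <input type="password" name="password" placeholder="Password">
  <button type="submit">Sign in</button>
</form>`;

// Constructed sample: the same form with an extra PIN field, as the article
// describes the injected Verizon page asking for.
const INJECTED_FORM = `
<form id="login" action="/signin" method="post">
  <input type="hidden" name="csrf_token" value="abc123">
  <input type="text" name="username" placeholder="User ID">
  <input type="password" name="password" placeholder="Password">
  <input type="password" name="pin" placeholder="Account PIN">
  <button type="submit">Sign in</button>
</form>`;

console.log("legitimate form:", checkForm(LEGIT_FORM));
console.log("injected form:  ", checkForm(INJECTED_FORM));
```

In practice such a check is one signal among several: a monitor would report the verdict to the site's telemetry rather than act on it client-side alone, since injected script running in the same page can also tamper with the monitor. The comparison is against a manifest of field names rather than a hash of the whole form so that legitimate changes such as a rotating CSRF token value do not trigger it.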

About the Author

Asokan is senior correspondent for Information Security Media Group's global news desk. She has previously worked with IDG and other publications where she reported on developments in technology, minority-rights and education.
